Deletion of Volume Shadow Copies via WMI with PowerShell (21ff4ca9-f13a-41ad-b828-0077b2af2e40)
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families, such as Sodinokibi/REvil.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) | Attack Pattern | Deletion of Volume Shadow Copies via WMI with PowerShell (21ff4ca9-f13a-41ad-b828-0077b2af2e40) | Sigma-Rules | 1 |